2. Conduct frequent audit trails.
In the corrective action plan Anthem agreed to as part of its settlement, one potential HIPAA violation was Anthem’s failure to meet “[t]he requirement to implement sufficient procedures to regularly review records of information system activity.” The corrective action plan requires Anthem to address its deficiencies uncovered during the OCR’s investigation and report its compliance to the OCR. How does your practice stand up?
Audit trails can help a practice determine whether someone is attempting to break into its systems, whether the attempt succeeded, and how to contain the intrusion before it becomes a major compliance problem, among other issues. While reviewing them can take an office manager or physician a significant amount of time, it is still cheaper than fines. Regularly reviewing audit trails is also necessary to protect ePHI and comply with HIPAA.
3. Ensure written policies and procedures are followed when granting access to staff, vendors, and/or software programs.
HIPAA auditors will ask practices multiple questions with respect to written policies and procedures. They likely will begin by asking, “Do you have written policies and procedures?” If so, they will follow up by asking, “Do you have written policies and procedures that limit access to your ePHI by staff, vendors, and/or software to those who actually need it?” If the answer is also yes, they will ask, “Have you sufficiently trained your staff on these policies and procedures?”
Answer no to any of these questions, and your practice could be subject to penalties similar to those OCR imposed upon Anthem. Practices should focus on prospective compliance instead of spending hard-earned resources resolving OCR disputes. It is better for a practice to be proactive than reactive when it comes to HIPAA compliance. Therefore, it is vital to ensure your practice has written policies and procedures and has trained your staff on those policies and procedures.
Anthem likely wishes it had prospectively complied with HIPAA, as doing so may very well have helped it avoid the OCR’s stiff fine. Anthem has legal, risk management, and compliance teams dedicated to HIPAA compliance. It was still targeted and hit by cyberattacks and, subsequently, tagged with massive penalties from the OCR.
If you are a practice group owner, or are a member of a small practice group, who is protecting you? Are you simply relying on your office manager or compliance officer to keep you in compliance? Is this person qualified?
Anthem has 16 million reasons why simply trusting your HIPAA compliance team may be insufficient. Instead, your practice should heed the words of former President Ronald Reagan: “Trust, but verify.” Doing so could help your practice group ensure HIPAA compliance and avoid breaches and OCR penalties.
Kyle Haubrich, JD, is counsel at Sandberg Phoenix in St. Louis and focuses his practice on the rapidly evolving areas of healthcare law—specifically on HIPAA and MACRA regulations—for individuals, group practices, and hospital-based physicians.
Jacob Grimes, JD, is an associate attorney at Sandberg Phoenix, where he is a member of the firm’s health law practice group. Jacob’s practice focuses on advising healthcare entities and providers on regulatory matters and defending medical malpractice claims.